What is our primary use case?
The organization that I worked for is a very old organization. We had 30 years of experience with a lot of websites on many different technologies, so we looked for a product that could handle the ten different technologies we had to support. We used it as a WAF, a web application firewall, for all of our websites.
How has it helped my organization?
When you have a problem that you want to verify, what's important is the time that it takes you to actually find it. If it takes you more than a few minutes, or it takes you an hour, or if you need to call their support to get an answer, that can be problematic. If you can do it yourself, it means that it's easy. It saved us a couple of hours a week.
Before Reblaze, we worked with and used a number of products. We had one product for reverse proxy, one product for load-balancing, and another product as a web application firewall. We combined them all into one product, into the Reblaze platform. That helped reduce costs a lot. For example, we stopped using the F5 as a load balancer. We only had one F5, so by stopping use of it we ruled out the single-point-of-failure issue. And, of course, it saved us not only the direct cost of paying the vendor, but the cost of maintaining another environment as well, including eliminating backups, upgrades, etc. It saved us a lot of time and money. I worked for an educational institute so the pricing was different, but it saved us thousands of dollars a year.
The presentation of all the traffic, not just the blocked requests, helped our monitoring operations. Because we had very old platforms, the code was not written "by the book" and it was not, for example, HTTP-compliant. We wanted to roll out the solution very fast without false positives. Reblaze was a single, unified platform that helped us a lot in doing that.
We supported consumers and users at home and in schools, and when you work with end-users, the variety of their computers is amazing. Each one had a different browser, a different operating system. The combinations are infinite. Reblaze helped us to see the different combinations and it helped us to better understand which combinations we had a problem with. It helped us a lot to identify end-users' problems, whether it was a specific operating system or a specific combination of the operating system and browser version.
We didn't experience any major performance issues. The caching mechanism helped us a lot. It sent fewer requests to the front-end server and it cached all the static objects. It saved a lot of traffic into our network. It helped save money by optimizing our server usage. We were able to use fewer resources on our side. It saved us about $15,000 to $20,000 a year in computing resources that we didn't need because we had the reverse proxy, the caching mechanism.
We used the platform as a CDN as well. We installed them outside our network so we could bring in only clean traffic, and only traffic for known static objects. It saved us a lot of traffic and we got only clean traffic. That meant we could use lower models of firewalls because the Reblaze WAF service blocked a lot of unnecessary traffic from coming into our network.
What is most valuable?
The most valuable features were the real-time monitoring and the management. With this kind of product, you need a very good management system to allow you to see false positives in real-time; to see what's happening in real-time. If you have a block, you need to understand what is being blocked and why. You need a very good management system to support that. The clarity stood out. It was very visible and very easy to navigate; very easy to find the data we were looking for.
What needs improvement?
Perhaps the automatic reporting could be better. I would like to have seen more automated reports. Maybe it has been improved in the last year and I'm just not aware of it. But from a managerial point of view, you want a summary report, a weekly report: How many attacks were blocked? How much bandwidth was saved due to the caching mechanism? What were the top-ten attacks that were tested on the network, etc? I could most likely have found all that data if I logged in to the system and ran different reports. It would be very helpful to get a management report on a weekly basis.
For how long have I used the solution?
We were using it at my last company for about three years. I moved to another company about ten months ago, so currently, I'm not using Reblaze.
What do I think about the stability of the solution?
We had no real-time issues ever, due to the system. We had problems because of our programming team, upgrading the components without testing them first, moving them to production, and then something would be blocked because it was not tested.
For example, we had false positives when Google Chrome was upgraded and specifically asked for new parameters or was doing more validation. Then, we were stuck and we needed to do more whitelisting.
What do I think about the scalability of the solution?
In the first year, the scalability was very low. We were one of the first customers that they created front-end load balancers for. The initial solution was a static DNS solution. Only after a year did they provide front-end load balancer servers to spread the load in a much smarter way. Now, it's fully scalable.
The end-users were all the school-age students in Israel, about 2 million students. We had 1.2 million distinct users a month. There was no problem with scalability in that aspect.
How are customer service and technical support?
Every time that you call, you get an answer from an expert, not a level-one, or level-two, or level-three. You are getting answers from an expert in the system. It's someone who knows a bit of coding, knows what to do, what to recommend, and who helps you in real-time. That was their standard support, unless they have changed it since I last used it.
Which solution did I use previously and why did I switch?
F5 was the load balancer which Reblaze replaced and the reverse proxy it replaced was Squid. The WAF that we used was Sucuri. We had a couple of web application firewalls which were SaaS services. One service, for example, was for the PHP websites, and another one was for SharePoint. We had to use different services because each one worked with just one platform.
The biggest difference between Sucuri and Reblaze was that Sucuri was a one-stop-shop for a lot of attacks. It was blocking the DDoS attacks, pattern attacks, behavioral attacks, automated attacks. It was blocking a lot of different attacks in one product. That was the benefit for us.
We knew of Reblaze because one of the founders of the company was a vendor of mine when I was at a different company.
How was the initial setup?
The initial setup was very complex, but because of our side. We had very old platforms and our programming staff wasn't strict about implementing normal programming procedures. So we had to do a lot of whitelisting and a lot of changes in our code to be compliant and to have minimal security on our side.
For example, they still support ASP websites; not even .NET. We needed to whitelist a lot of things, such as moving parameters on the URL. That's something you don't do anymore in coding.
Our deployment took around seven to eight months, but we had something like 250 websites. It was not one website. Where CNN, which is one of the biggest, major websites in the world, has one major website that's called "cnn.com," we had more than 200 websites in ten or 15 different technologies. We had WordPress, Drupal, PHP, our native PHP, .NET, ASP, SharePoint and more that we had to support. It's a unique environment and that's why we were looking for a solution.
What helped us a lot is their support team. That is the major benefit of Reblaze; not the technology, not the product — the support team. That's what we were paying for.
Our implementation strategy was to move a couple of websites. We didn't have a QA site or pre-production site for all of our systems. So we had to move a lot of our environments in real-time, in a monitoring mode, and see what was going to be blocked. We then whitelisted that and moved into production and saw what was being blocked for our user.
On our IT side, three people — not full time, of course — were involved in the setup. And from our programming environment, there were about 20 different people, but not at the same time. From Reblaze's side, we worked with three to four different guys. Not more than that because they knew our environment.
In terms of day-to-day maintenance, for load-balancing, caching, and supporting the whole system, we required about 30 to 35 percent of one full-time job. The maintenance is not low. Our QA team, of course, were also users of Reblaze. They knew how to work with the system and how to configure the system because they worked on testing the websites with Reblaze.
Reblaze manages the solution so we didn't need to follow which version we were on. It's a bit different than a normal IT product where you need to upgrade it. It was a managed service for us. In our case, it was in our private cloud. That was a bit different than for other customers, but for us, it was on our private cloud.
What was our ROI?
It's a bit hard to speak about ROI when you are speaking about our security. You don't know what you are blocking. You only know if something happens to your network. We had no penetration into our network ever. That was the main issue.
Because we were dealing with students' data, in Israel we have regulations, like GDPR, but a bit different. It helped us to pass all the tests we needed to pass, and we were able to file all the legal documents with the government because we had this system. The system answered something like 25 different security chapters in the regulations.
What's my experience with pricing, setup cost, and licensing?
In Israel, as an educational organization, the pricing, hardware- and software-wise, was very low. The educational market in Israel has very different pricing compared to other markets.
Also, it was a multi-payment model. It was not like we needed to buy a license. We paid on a monthly basis. It's pay-as-you-grow. I don't know what the licensing model is today.
Thirdly, unlimited support was included. We didn't have to pay for Professional Services hours.
Finally, we had a very good termination agreement. We could leave, if I remember correctly, on 60 days' notice.
Beyond the cost of the product, we paid for the hardware. That was our decision. Again, it was private cloud, so we were paying for the computing resources.
Which other solutions did I evaluate?
We also looked into Imperva and F5 ASM. Reblaze stood out because of the support. We had a very complicated environment. We needed somebody that would help us configure and help us to implement our websites into the system. There were also budget issues. And it was very helpful for us because we wanted a local installation, not a cloud installation.
Another factor was that we were one of their first customers, so we knew we had an opportunity to impact the product. If we wanted a feature, we knew that somebody would at least listen to us. Of course they would think about whether that would be beneficial for other customers or not, but at least there was someone who would listen to us, feature-wise.
The security-to-cost ratio, when compared with competitors, is much better. Today, I'm working for an integration company and we are selling F5. I see the complexity. I see how much manpower I need and how many hours a month I'm selling to my customers for Professional Services to support their ASM. F5 is not the easiest product ever. I totally see the benefit of Reblaze.
What other advice do I have?
Go ahead and use it. We took a chance because, when we started with Reblaze, it was a young company. With a young company, you don't know if it will be there in two years. It was risky because to implement the system takes six months. To move to another platform would take another six months. So it was a risk. Today, there is no risk. Reblaze stands on its own. Its income is stable from customers. It's not only investors' money today. Reblaze has a lot of customers and its teams are much bigger.
My primary advice is to have the coding team, the programming team, with you from the first minute, because they will need to support you. It's not just an IT task. It seems to be, but it's not. It's also a task for the programming team. You will need QA resources which, in most cases, are provided by the programming team. You also need architecture teams. You need to work much more closely with all these teams than we initially thought, when implementing this kind of solution.
- how much time you can save and the resources required
- the stability and
- the support.
Those are the three main factors for me. And in these three factors, Reblaze excels.
Which deployment model are you using for this solution?